
Fraudsters exploit weak bank security process to add fake cards on Apple Pay

Where there’s a will, there’s a way, and it seems that fraudsters have finally found a way into Apple Pay. However, the problem seems to be less with Apple’s security system, and more with individual banks’ processes for verifying credit cards for the Apple Pay system.

Payment expert Cherian Abraham, who works with banks and businesses to set up mobile payment infrastructure, revealed the issue of fraud in a blog post. Fraud “is growing like a weed, and the bank is unable to tell friend from foe,” he wrote.


Abraham noted that fraud accounts for 6 percent of Apple Pay transactions, which is much higher than the 0.1 percent of card swipe transactions that are fraudulent. However, it turns out that fraud rates vary from bank to bank, depending on their security protocols.

An Apple spokesperson told the Wall Street Journal that Apple Pay is “designed to be extremely secure and protect a user’s personal information,” adding that “banks are always reviewing and improving their approval process, which varies by bank.”

In other words, it seems that Apple has little control over how banks verify credit cards that are used on Apple Pay. Apple only controls the user interface where users can input card information, not the security processes that confirm whether or not the card is valid.

Apple Pay stores encrypted payment data in a special “secure element” on the phone, uses the Touch ID fingerprint sensor to prove that the iPhone’s owner is paying, and uses a token or numeric code to process the payment at the store, so that the actual credit card number is never communicated to the merchant.

The only point at which fraudsters have found a vulnerability in the system is when users add a credit card to Apple Pay. Apple simply sends the bank the following information so it can verify the card: the kind of phone used, the last four digits of the phone number, and the phone’s approximate location. The bank then verifies the card, declines it, or asks for more information to ensure that the user isn’t fraudulent.

According to Abraham, some banks made it incredibly easy for fraudsters to circumvent the added security. All they had to do was provide the last four digits of the target’s social security number, for example, which is easy enough to steal if you’re an identity thief.

It’s unclear what Apple is doing to combat these new fraudsters, but it seems that some banks are reevaluating their protocols to make sure customers’ cards stay safe.
